Cybercriminals continue to exploit Microsoft Word and Excel documents as conduits for malware delivery as we advance through 2025. These methods remain effective, combining phishing lures with document exploits that need no interaction beyond opening the file, and they work particularly well in corporate settings where Office documents are routinely shared.

This year, there are three prominent exploits linked to Microsoft Office that warrant attention for their ongoing prevalence and effectiveness.

Phishing via MS Office: A Long-Standing Tactic

Phishing schemes built on Microsoft Office files have persisted because they work in business environments. Cybercriminals understand that employees are comfortable opening Office documents, especially when they appear to come from trusted sources such as colleagues or clients. It takes little to persuade someone to open a malicious file disguised as an invoice, report, or offer. Once the file is opened, the attack proceeds: either an embedded link leads the victim to a credential-harvesting page, or an exploit inside the document runs.

Such phishing attacks frequently aim to harvest login credentials. The malicious documents may contain:

• Links directing to counterfeit Microsoft 365 login pages

• Phishing portals mimicking legitimate company tools

• Redirect chains leading to credential-stealing sites

An illustrative session in the ANY.RUN malware analysis platform showed an Excel file embedding a phishing link, demonstrating these tactics in action. When the link is clicked, the victim first encounters a Cloudflare verification page and is then redirected to a bogus Microsoft login page. Despite the convincing appearance, indicators in the ANY.RUN sandbox reveal discrepancies that expose the link as fraudulent: the URL is non-standard, filled with random characters, and does not match any of Microsoft's official domains.

CVE-2017-11882: A Persistent Threat

Discovered in 2017, CVE-2017-11882 continues to be utilized in attacks against systems running outdated versions of Microsoft Office. This vulnerability targets the seldom-used Microsoft Equation Editor embedded in older Office versions, allowing attackers to execute malicious code merely by opening an affected Word document without any additional user action.

In a recent analysis, an exploit using this flaw delivered the Agent Tesla payload, an information-stealer designed to capture keystrokes, credentials, and clipboard data. Although Microsoft has introduced mitigations, legacy systems that have not been updated remain vulnerable. With macros disabled by default in recent Office versions, the Equation Editor exploit serves as a fallback for attackers targeting unpatched installations, where it executes without any prompt to the user.

CVE-2022-30190: The Follina Exploit

The Follina vulnerability (CVE-2022-30190) has garnered attention due to its ability to operate without the need for macros or extensive user interaction. This exploit leverages the Microsoft Support Diagnostic Tool (MSDT) and special URLs embedded within Office documents, enabling attackers to execute remote code simply by having the victim view the document. Observations in the ANY.RUN sandbox indicated that the attack used steganography techniques, hiding malicious payloads within image files that are then executed through PowerShell, further complicating detection efforts.

Follina’s use in multi-stage attack sequences showcases its adaptability, encouraging the integration of additional vulnerabilities to amplify the impact of an attack.
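As an added example (not code from the article or from ANY.RUN), the following Python triage script checks an OOXML package (DOCX/XLSX) for the three document-level indicators discussed above: hyperlinks that look like sign-in links but do not point at a Microsoft domain, Follina-style ms-msdt: or remote OLE-object relationships, and an embedded Equation Editor object (ProgID Equation.3). The Microsoft domain allow-list, the lure keywords and the sample document are assumptions constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumed allow-list: hosts a genuine Microsoft sign-in link should point at.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")

def is_microsoft_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def scan_ooxml(data):
    """Return (kind, detail) findings for a DOCX/XLSX given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter("{%s}Relationship" % REL_NS):
                    target = rel.get("Target", "")
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    scheme = urlparse(target).scheme.lower()
                    if scheme == "ms-msdt":  # MSDT protocol handler URL, the Follina trigger
                        findings.append(("msdt-url", target))
                    elif rtype in ("oleObject", "attachedTemplate") and scheme in ("http", "https"):
                        findings.append(("remote-ole-template", target))  # Follina-style remote loader
                    elif rtype == "hyperlink" and scheme in ("http", "https"):
                        lure = any(w in target.lower() for w in ("login", "signin", "office", "microsoft"))
                        if lure and not is_microsoft_host(urlparse(target).hostname):
                            findings.append(("lookalike-login-link", target))  # credential-phishing lure
            elif name.endswith(".xml") and b'ProgID="Equation.3"' in zf.read(name):
                findings.append(("equation-editor-object", name))  # CVE-2017-11882 attack surface
    return findings

def build_sample():
    """Constructed document carrying all three indicators; not a real malicious file."""
    ot = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ot}hyperlink" Target="https://login-office365.example.net/x9k2q" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{ot}oleObject" Target="http://template.example.net/RW.html!" TargetMode="External"/>'
            '</Relationships>')
    doc = '<w:document><w:body><o:OLEObject ProgID="Equation.3" r:id="rId3"/></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample()))
```

A clean document yields an empty list; any finding is a reason to detonate the file in a sandbox rather than open it on a workstation.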

Implications for MS Office Users

For organizations heavily reliant on Microsoft Office, awareness of these ongoing threats is critical. Cybercriminals exploit the inherent trust placed in Office files, making them effective vessels for phishing and malicious code execution. From seemingly harmless Excel sheets to deceptive Word documents, the risks are substantial.

In light of these vulnerabilities, businesses should review their internal protocols for handling Office documents and enforce strict controls on files from external sources. Using tools like ANY.RUN to inspect suspicious files safely before opening them can significantly reduce risk. Regular software updates and disabling outdated components such as the Equation Editor add further layers of protection against known exploits.

The threat landscape extends beyond conventional Office files, encompassing mobile platforms increasingly targeted by malicious actors through deceptive applications and links. Ensuring a comprehensive security posture across both desktop and mobile ecosystems is essential for adequate defense against evolving cyber threats.

Focusing on robust threat analysis and utilizing platforms that facilitate visibility into both environments can enhance an organization’s overall cybersecurity resilience, ensuring preparedness against emerging and re-emerging threats.

This article is a contribution from a valued partner.